Sardis

Sardis v0.7: Production Hardening and Fireblocks Integration

Sardis v0.7 eliminates 24 technical debt items, migrates to PostgreSQL persistence, adds Fireblocks MPC custody, and hardens authentication across every API route.

Sardis v0.7 is our biggest infrastructure release yet. We eliminated 24 technical debt items across 11 files, moving from prototype-grade in-memory stores to production-ready PostgreSQL persistence, adding institutional MPC custody via Fireblocks, and hardening authentication across every API route.

The Problem: Technical Debt at Scale

As Sardis grew from a testnet prototype to a near-production system, several critical patterns accumulated that would prevent reliable deployment: in-memory mandate and checkout stores that lost state on restart, hardcoded authentication bypasses in API routes, a webhook secret rotation endpoint that generated secrets but never saved them, and missing database tables for invoices and KYC.

v0.7 addresses all of these systematically, in 11 atomic commits that each represent a self-contained improvement.

PostgreSQL Everywhere

Three core stores have been migrated from in-memory dictionaries to PostgreSQL:

  • Mandate Store -- The AP2 mandate lifecycle (create, validate, execute, cancel) now persists across restarts with full status tracking, attestation bundles, and execution results.
  • Checkout Sessions -- PSP checkout sessions now persist with proper timestamps.
  • KYC Verifications -- Persona KYC results are now stored in a dedicated kyc_verifications table with database lookup fallback when the in-memory cache misses.

Fireblocks MPC Signer

For institutional deployments that require Fireblocks instead of Turnkey, we added a complete FireblocksSigner implementation:

  • Vault account creation with auto-fuel
  • Deposit address generation per asset
  • Transaction signing via Fireblocks REST API with JWT authentication
  • Transaction status polling

The executor now automatically selects the Fireblocks signer when mpc_config.name == "fireblocks", configured through the environment variables FIREBLOCKS_API_KEY and FIREBLOCKS_API_SECRET.

Authentication Hardening

Every API route that previously used hardcoded "default" or "demo_agent" values now enforces real authentication:

  • Agent routes -- owner_id extracted from api_key.organization_id
  • Webhook routes -- organization_id from the API key
  • Marketplace routes -- Agent identity from X-Agent-Id header

Invoices API

A new /api/v2/invoices router provides full CRUD for merchant invoices: create, list (with status filtering), get by ID, and update status. The dashboard Invoices page has been rewired from mock data to the real API with loading states and error handling.

Developer Experience Improvements

  • ABI Revert Decoding -- Solidity Error(string) revert reasons are now decoded from raw hex into human-readable messages
  • sardis-chain exports -- Fixed ChainId, TokenConfig, GasConfig, RPCConfig, and TurnkeyConfig exports
  • pnpm workspace -- sardis-ai-sdk now resolves @sardis/sdk via workspace:*
  • Python 3.13 -- Pinned asyncpg>=0.30 and fastapi>=0.115 for compatibility
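
The Error(string) decoding named in the ABI Revert Decoding item, as an added example that is not Sardis's own code: it checks the standard 0x08c379a0 selector, then bounds-checks the ABI offset and length words before slicing, since revert data returned by an RPC node is untrusted input. The function names decode_revert_reason and encode_error_string are hypothetical, and the sample payload is constructed.

```python
from typing import Optional

# First 4 bytes of keccak256("Error(string)"), the selector Solidity uses
# for require()/revert("...") reasons.
ERROR_SELECTOR = bytes.fromhex("08c379a0")
WORD = 32  # ABI word size in bytes


def decode_revert_reason(data_hex: str) -> Optional[str]:
    """Return the revert message, or None if data is not a well-formed Error(string)."""
    raw = data_hex[2:] if data_hex[:2].lower() == "0x" else data_hex
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return None
    if data[:4] != ERROR_SELECTOR:
        return None  # empty revert, Panic(uint256) or a custom error
    body = data[4:]
    if len(body) < 2 * WORD:
        return None  # too short to hold the offset and length words
    offset = int.from_bytes(body[:WORD], "big")
    if offset > len(body) - WORD:
        return None  # offset points past the buffer
    length = int.from_bytes(body[offset:offset + WORD], "big")
    start = offset + WORD
    if length > len(body) - start:
        return None  # declared length exceeds the bytes actually present
    # The node's response is untrusted input: never raise on bad UTF-8.
    return body[start:start + length].decode("utf-8", errors="replace")


def encode_error_string(message: str) -> str:
    """Build a constructed Error(string) payload for the demo below."""
    msg = message.encode("utf-8")
    padded = msg + b"\x00" * (-len(msg) % WORD)
    head = WORD.to_bytes(WORD, "big") + len(msg).to_bytes(WORD, "big")
    return "0x" + (ERROR_SELECTOR + head + padded).hex()


if __name__ == "__main__":
    sample = encode_error_string("ERC20: transfer amount exceeds balance")  # constructed
    print(decode_revert_reason(sample))
    print(decode_revert_reason(sample[:100]))  # truncated payload -> None
```

Returning None for anything that is not Error(string) lets the caller fall back to logging the raw hex instead of showing a misparsed message.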

Critical Bug Fixes

  • NameError in main.py -- app.state.turnkey_client was assigned before the variable was defined, causing a crash on every API server startup
  • Schema idempotency -- ALTER TABLE migrations for the mandates table consolidated into the CREATE TABLE statement
  • Webhook secret rotation -- The rotate-secret endpoint now actually persists the new secret to the database

What's Next

With v0.7 landing, Sardis is substantially closer to production readiness. If you are building AI agents that need real financial capabilities, get started with Sardis today.